
American Express are enablers of security threats

Peter Newton, “Director of Marketing” at American Express Australia Limited ABN 92 108 952 085, really likes Russian Mafiosi. Or maybe it’s Chinese Triads, bikie gangs, or maybe some local spivs operating out of a small rented smash repair shop near Beenleigh. Perhaps all of the above. Look at this email I got in my inbox this morning:

[Image: American Express email phishing attempt ... by American Express]

This email is signed, with a little jpg at the bottom, “Peter Newton”, Director of Marketing, because, you know, that makes it more trustworthy. BTW, at the bottom of the email (not in the picture) it says “You can contact American Express Customer Service for further information. Unfortunately we can not accept incoming emails to this address”, snail mail only, FFS.

It appears quite clear to me that American Express possesses an unbelievable commitment to training their customers to accept any roughly legitimate-looking email or incoming phone call (see below) as authentic, and to hand over their valuable financial information to who knows what is at the other end. This email is totally incredible, and yet it is legitimate: I checked the linked addresses before I nonetheless marked it as a “phishing attempt” in Gmail. Look at those security-melting links! “If you have forgotten your user ID or password, please click here” (!!!). Amex, you are not some pissy little forum I visited once three years ago that can send an email with a link to the password recovery, you are a bloody financial service. This stuff is a massive security FAIL, you idiots.

I will note in passing that my bank has a line in their online banking website that says, to the effect, ‘we will never email you about this service’. They do send me an email that says “your online statements are available”, but there’s not a single link in the email. Dear Amex, there is a good reason they never do that! Thank God my current credit balance is zero – although, come to think of it, that makes me more worried that someone could be stealing more of my credit limit right now.

As I hinted above with the comment about “incoming phone calls”, this is not the first time I’ve discovered that Amex likes to operate in complete contradiction to the rules of good security practice. A few years ago I was rung on my mobile phone by their customer service department; “This is xxx at American Express, we’d like to talk to you, but first can you identify yourself with the following information?”, ran the voice at the other end of the line. No amount of me saying otherwise could persuade them it was a very bad idea: “Well, if you are really Amex, you’ll have all that detail on file in front of you, perhaps you ought to tell me that information to prove you are who you say you are. After all, you rang me …” I said I’d call them back – the operator tried to give me the number but I cut her short and said I’d use the number I already have, thank you very much. After I cleared the issue, I asked to speak to their relevant people and attempted to explain what was wrong with the entire scenario, but I doubt it had much effect; they just claimed “procedure” and read me a lot of boilerplate about how secure they are. But they are not, and here’s the evidence.

Dolts.